The GDPR (General Data Protection Regulation) is an important piece of legislation that is designed to strengthen and unify data protection laws for all individuals within the European Union. The regulation will become effective and enforceable on the 25th May 2018.

Our commitment: Skiddle is fully committed to achieving compliance with the GDPR prior to the regulation’s effective date.

What we are doing to be compliant?

We are taking many steps across our business to ensure we are GDPR compliant:

Thoroughly research the areas of our business impacted by GDPR – IN PROGRESS

Appoint a Data Protection Manager – COMPLETE

Rewrite our Data Protection Agreement – ONGOING

Rewrite our Privacy Policy – ONGOING

Create a roadmap of all data and assess the new risks – IN PROGRESS

Assess all third-party company data policies – IN PROGRESS

Perform the necessary changes/improvements to our product based on the requirements – IN PROGRESS

Implement the required changes to our internal processes and procedures required to achieve and maintain compliance with GDPR – IN PROGRESS

What changes are Skiddle making to become GDPR compliant?

Skiddle is taking many steps to ensure we are fully GDPR compliant. We changed our check out process a while back, way before GDPR had been announced. Customers now have to opt-in if they wish to be on any marketing lists, this fully complies with GDPR.

We have attended numerous courses and are in the process of rolling out full training to all of our staff.

We are currently looking into all our data processes to assess the risk to the Data Subject, once these data protection impact assessments have taken place we will be able to add in extra security measures. Just as a note, currently a Data Subjects data is very secure under the current Data Protection Act within Skiddle. We’ve always taken extra measures to ensure this.

What does all this mean to a customer?

At Skiddle customer data is already kept very secure but under the new GDPR regulations, it just means we’ll be even tighter on security and be more transparent about how we market directly.

We have never nor will ever sell customer data on to any third parties. The only person who will be able to access to this data will be the promoter of the event, this is so they can communicate any important messages, it is also essential they have your information so they can provide a smooth entrance on the date of the event. If a customer has opted into marketing promoters may use the email address from time to time to market relevant events.

If a customer has opted out then all they may receive is important information from us about the event, for example, a cancellation or rescheduling of the event, or if our Customer Care team need to contact about any ticket issues.

If you want to know any further information about how we process customer data please take a look at our current privacy policy HERE

What do Skiddle promoters need to do?

First of all, we are here to help! If you have any questions do not hesitate to contact us, we will assist you where we can. Having been on a number of courses we hold quite a bit of information on best practices, however, whilst we can advise you it is best you seek legal advice if you are unsure.

Moving forward

“Being transparent and providing accessible information to individuals about how you will use their personal data is a key element of the Data Protection Act 1998 (DPA) and the EU General Data Protection Regulation (GDPR). The most common way to provide this information is in a privacy notice.”

Promoters will need to make sure they have policies set on how customer data is handled. If a customer has opted in for marketing then you must make sure you communicate how you use their data, if you do not have a privacy policy then now is the time to get one in place. This requirement has always been part of Skiddle’s Terms of Service under the Data Protection Act, but the GDPR can penalise you if you have not done this clearly or you are in breach of the GDPR. There is a great article on the ICO website about Privacy Policies HERE

It is advised to also have a retention policy in place, this means looking at why you hold onto the data. If you have a valid reason to do so then make sure you document this. There is no rule on the length of time but common sense should prevail when looking at this policy. Think about it, you have data going back 3+ years, you’ve never heard from the customer or they haven’t made a purchase since their original purchase, is that data still valid? Probably not. If you were to have a data breach and that data was used maliciously then the ICO will ask you why you were holding data that isn’t relevant. You would also probably receive a fine for not complying. So it’s time to have a think.

Shortly we will be creating an agreement when you download the customer data/list, this agreement must be confirmed digitally before you will be able to download any data files moving forward. We will only need you to do this once, this agreement will stay on your file and will replace the old data protection agreements in place. We aim to have this in place pre-25th May 2018.

The agreement will be in place to protect the Data Subject, as a Promoter, it is your responsibility to make sure the data is kept safe. The customer data file will be encrypted moving forward, whilst we still aim to make this a simple process for you, we need to think about the vulnerability in accessing this data. We are currently looking at ways to do this.

A few tips on becoming GDPR compliant

Be secure

It is your responsibility to secure the customer’s data once you have it. If you have a data breach and your customer’s data is stolen, the ICO can hit you with a hefty fine. So make sure you password protect or encrypt your files and or emails to keep the data safe. Do not let anyone else have access to data that they shouldn’t have.

Subject Access Request

If you receive contact from a customer asking why they are receiving marketing from you, it is your responsibility to advise them how you obtained their data, and why they are receiving it, in most cases it may be a perfectly reasonable reason why they have received a mailshot, but you must advise them within 30 days of their request, failure to do so could result in the Data Subject taking you to a small claims court.

Right to be forgotten

If a Data Subject asks you to be forgotten or removed from your database you must adhere to this request, if you do not and they receive further marketing from you then once again you could end up with a fine or a claim made against you.

I’m still confused by it all

Don’t worry, it is a lot to take in but if you are still unsure about GDPR then please take the time to read the ICO’s website HERE there is a lot of useful information especially under the ‘guides to legislation’ section. The ICO is there to guide you, so if you have any questions please do not hesitate to contact them directly.